CVE-2026-48592 PUBLISHED

Missing authorization check on save-job event handler in oban_web

Assigner: EEF
Reserved: 22.05.2026 Published: 26.05.2026 Updated: 27.05.2026

Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution.

The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one.

This issue affects oban_web: from 2.12.0 before 2.12.5.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	oban-bg
Product	oban_web
Versions	Default: unaffected affected from 2.12.0 to 2.12.5 (excl.)

Vendor	oban-bg
Product	oban_web
Versions	Default: unaffected affected from a17bc8c31286c9d516e2892cf5483d1c95e65d6c to ab3c5d1d3eba06c62045f16f2cd7781c7752e248 (excl.)

Affected Configurations

The Oban.Web dashboard must be deployed and accessible to users with less than full job-management privileges (e.g. :read_only).

Credits

Peter Ullrich finder
Parker Selbert remediation developer
Jonatan Männchen analyst

References

Problem Types

CWE-862 Missing Authorization CWE

Impacts

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs